
Action from one of the last meetings: Muddasar will prepare grade rate assessment proposal.

Jira No | Summary | Description | Status | Solution

LFN Developer & Testing Forum

Event June 13th-16th Porto, Portugal

Please register:

Issue raised with SECCOM by Kohei - About Critical Information Leak

Ticket to be opened to SDNC – last message to SECCOM on token and logins/passwords.

started

Ticket to be opened to SDNC: https://jira.onap.org/browse/SDNC-1691 - done

Confirmation e-mail to be sent to Kohei - done

Istanbul Maintenance Release Notes

https://jira.onap.org/browse/CCSDK-3602 malformed table, needs to be fixed!

https://jira.onap.org/browse/SDNC-1670 AAF transitive dependency

ongoing

PTLs meeting on April 4th

  • Istanbul Maintenance Release (Log4j mitigation) - All documented Jira issues resolved. Release is completed.
  • Unmaintained project discussion
  • New GUI project as Portal alternative
ongoing

We shall provide a SECCOM proposal/recommendation for unmaintained projects to the TSC; a synch-up with the Architecture Subcommittee is needed, Byung will check with Chaker. Amy to draft the proposal by the end of this week and send it to the SECCOM distribution list.

TSC meeting on March 31st:

ongoing

SBOM status update

Vijay turned the flag on. To be followed up with Jess. SBOM for Python?

Fabian is using Trivy with the CycloneDX format. No option for SPDX.

ongoing

Tony to re-share the e-mail.

Updates to Secure Design Questionnaire - Maggie

started


SECCOM topics proposal:

  • Log4j fix implementation in Istanbul Maintenance Release – retrospective
  • Jakarta security status update
  • Kohn security goals
  • others?



Synch with OOM

  1. SDC-3954
  2. SDNC-1692
  3. OOM-2957

  • fix root_pods in Jakarta release:
    1. OOM-2958
    2. INT-2104

Assessment model

Muddasar presented a proposal for 5Y assessment model:

Attachment: ONAP Assessment _04082022_MSA_V0.pptx

Assesment should be for a ONAP project as a whole. Report should be actionable - movement rule from level to the other is defined. It should also include process or tool improvement recommendation.

We could use SAMM tool and some of our and their questions to have quick and easy asessment. Risk/threat model to be used.

Asessment models are usually based on interviews.

started

Issue raised with SECCOM by Kohei - About Critical Information Leak

Ticket was opened to SDNC: https://jira.onap.org/browse/SDNC-1691 - the log file was removed from the Wiki.

started

Confirmation e-mail to be sent to Kohei by Amy.


Synch with Architecture Subcommittee

-LF Security conformance - Byung

Amy saw presentation of LF CEO

-Unmaintained projects proposals - Byung

We focus on Portal first and then on AAF.

started

Byung to send an e-mail to Kenny to get the LFX Security presentation for SECCOM.

Code quality

Fabian provided a presentation:

Attachment: SonarQube.pptx

In the "clean as you code" approach, the developer shall be motivated.

Quality gate conditions shall be generalized.

Usage of SonarLint allows for faster (on-the-fly) detection compared to SonarCloud.

Security hotspots: we need to have a reviewer in this area who would take the action (e.g. acknowledge). Jiras were set up in a special way.

The commercial tool provides a way to fix the issue.

ongoing

CPS gold badge 

2 tickets created at LFN IT:

  • IT-23828 2FA (2 Factor Authentication) needed for merging to Gerrit in ONAP
  • IT-23829 Hardening LFN hosted ONAP project web sites

Bruno mentioned:

  • Security review
  • dynamic tool analysis
  • Runtime assertion

started

E-mail to be shared with Bruno on tickets and links - done

No additional comments. 

ongoing

Security logging update – Bob

PoC phase, communication with Toine. Synch with Byung needed.

ongoing

Bob to contact Byung.

Linux Security Summit - CFP

  • Linux Security Summit, happening June 23-24 in Austin, Texas + Virtual!
    Don't delay - submissions are due Wednesday, March 30. View suggested topics, learn more and submit here https://events.linuxfoundation.org/linux-security-summit-north-america/program/cfp/
  • We plan to submit with Amy a presentation proposal for the Global Security Vulnerability Summit - submitted
  • Tony's proposal for Security principles in the implementation - submitted
ongoing

SBOM visibility to be created in the deck - consultancy with Muddasar is planned.

Next ONAP F2F

https://events.linuxfoundation.org/lfn-developer-testing-forum/ - registration open

started

Please consider your personal participation, so the SECCOM team could meet again.


SECCOM MEETING CALL WILL BE HELD ON 19th OF April'22. Quality gates for code quality improvements - Fabian's presentation.

SonarCloud fixing with new code focus.

Recording:

  • 2022-04-12_SECCOM_week_part1.mp4
  • 2022-04-12_SECCOM_week_part2.mp4

SECCOM presentation:

  • 2022-04-12 ONAP Security Meeting - AgendaAndMinutes.pptx